[Guide] Locating Silkroad’s Direct3D Objects

[epifriend]

Hi there,

I am very interested in your knowledge ^^

I am currently working on a personal project which would need to list ingame objects. By object I mean complex objects, like mobs, npcs, players, etc... Not simple Vertex or whatever.

Here is how I'm working:
I chose to make a dll proxy. It seemed easier for me to proceed as such.
I tried different ways to make silkroad load my own dll instead of the system one :
patching the sro_client.exe: failed (I was sure the game at least checks this, I tried anyway, it does)
patching the sro_client memory (launch, suspend, patch, resume): failed (I don't understand what happens, but it seems the game detects the patch and loads the real one instead anyway)
replacing the original d3d9.dll: I'm on windows seven, so failed ^^
so finally I installed a VM with XP on it, so I could replace the original d3d9.dll easilly: success (but slower of course)

so I made a dll proxy for d3d9.dll which is working fine. I clear a rect somewhere and I see it. Cool huh?

Anyway,
I'm a complete beginner on directX. From what I found on the internet, I saw that mostly EndScene will be my friend to display additional info.
But now I need a way to detect game's interesting objects. like "how can I detect this is a Mangyang"?

Can you give me a hand on this? I believe it is possible since I remember an ex co-worker added turning bubbles around mobs (blue bubbles on mobs, and red ones when selected). But I have no contact with him any more.

In short: I'm lost now, can you provide me with something to start with?

Thanks!

[recking]

Quote:

Originally Posted by epifriend

I am currently working on a personal project which would need to list ingame objects. By object I mean complex objects, like mobs, npcs, players, etc... Not simple Vertex or whatever.

im not sure, but u will find them with reading packages easier than using directx.

[maxbot]

Quote:

Originally Posted by epifriend

Hi there,

I am very interested in your knowledge ^^

I am currently working on a personal project which would need to list ingame objects. By object I mean complex objects, like mobs, npcs, players, etc... Not simple Vertex or whatever.

Here is how I'm working:
I chose to make a dll proxy. It seemed easier for me to proceed as such.
I tried different ways to make silkroad load my own dll instead of the system one :
patching the sro_client.exe: failed (I was sure the game at least checks this, I tried anyway, it does)
patching the sro_client memory (launch, suspend, patch, resume): failed (I don't understand what happens, but it seems the game detects the patch and loads the real one instead anyway)
replacing the original d3d9.dll: I'm on windows seven, so failed ^^
so finally I installed a VM with XP on it, so I could replace the original d3d9.dll easilly: success (but slower of course)

so I made a dll proxy for d3d9.dll which is working fine. I clear a rect somewhere and I see it. Cool huh?

Anyway,
I'm a complete beginner on directX. From what I found on the internet, I saw that mostly EndScene will be my friend to display additional info.
But now I need a way to detect game's interesting objects. like "how can I detect this is a Mangyang"?

Can you give me a hand on this? I believe it is possible since I remember an ex co-worker added turning bubbles around mobs (blue bubbles on mobs, and red ones when selected). But I have no contact with him any more.

In short: I'm lost now, can you provide me with something to start with?

Thanks!

Try looking for a "Model recognition finder". You would have to get the numvertices for Mangyang and then check if the model being drawn matches the Mangyang. However, this will take an enormous amount of time and you're better off with parsing 0x30D7/0x3417 packets.

[epifriend]

Quote:

Originally Posted by recking

im not sure, but u will find them with reading packages easier than using directx.

I'm sure it is simpler using packets. If I have no other choice I even might do it this way.
But I would prefer not to rely on other tools (I'm talking about nuConnector for instance). I mean, I prefer be the owner the whole chain. And I don't plan on developping myNuConnector

And another point, I intend to have some features like a colored glow (or equivalent) around mobs depending on the level difference between the char and the mob, this kind of stuff. So at one point I'll need to identify all that little people.
If I can't do it using directX only, how can I find the link between a network-object and a list of vertices?

It's more a new challenge for me.

Thanks for your answer anyway, it'll be a solution if I can't do it in my dll only ^^

Quote:

Originally Posted by maxbot

Try looking for a "Model recognition finder". You would have to get the numvertices for Mangyang and then check if the model being drawn matches the Mangyang. However, this will take an enormous amount of time and you're better off with parsing 0x30D7/0x3417 packets.

Said like this, I guess so! But how the guy I told you about could add bubbles around mobs?
There is something I don't get ^^
Thanks

[maxbot]

Quote:

Originally Posted by epifriend

I'm sure it is simpler using packets. If I have no other choice I even might do it this way.
But I would prefer not to rely on other tools (I'm talking about nuConnector for instance). I mean, I prefer be the owner the whole chain. And I don't plan on developping myNuConnector

And another point, I intend to have some features like a colored glow (or equivalent) around mobs depending on the level difference between the char and the mob, this kind of stuff. So at one point I'll need to identify all that little people.
If I can't do it using directX only, how can I find the link between a network-object and a list of vertices?

It's more a new challenge for me.

Thanks for your answer anyway, it'll be a solution if I can't do it in my dll only ^^




Said like this, I guess so! But how the guy I told you about could add bubbles around mobs?
There is something I don't get ^^
Thanks

Once you find the Mangryang or any other monster, you could use either world or screen coordinates to put up your own objects in the game. You can read my guide (Making a Silkroad ingame GUI) on how is adding 2D objects done, altho it's not what you really want.

[epifriend]

Ok thanks, I'll have a look into it. I'm not in a hurry, it's more a challenge for me...

[pushedx]

Quote:

Originally Posted by epifriend

I am currently working on a personal project which would need to list ingame objects. By object I mean complex objects, like mobs, npcs, players, etc... Not simple Vertex or whatever.

As mentioned, trying to use the DirectX DLL only would be very impractical for such a task and would not get you anything useful. Instead you must find the entity processing function in the client and hook it. Finding it is not too hard, just trace through the group spawn and individual spawn packet functions!

From there, you can store the ID of the entity. After you have a list of IDs, you then have to find the function that will return the object pointer based on the entity ID. This operation is more or less a std::map access. Once you have the object pointer, you can get all of the entities data from type, position, and anything else useful that's needed in the game.

That is the method I am using right now to be able to get all entities around the player as well as their real-time positions. It is very useful and works well. You also need to hook the entity remove function to know when to remove entity IDs as well! If you don't you'll crash the client trying to get the object pointer of an entity that does not exist!

[maxbot]

I wish I know reversing as you do :|

Wouldn't have to bother with spawn packets, altho I almost got them parsed thanks to Bot90210.

I'm going to take a look into this entity processing function, I may actually find something

Totally OT, but seems debugging can be enabled in SRO. If I'd just knew where is stuff outputed.

Code:

006A6A28  |. /74 14         JE SHORT sro_clie.006A6A3E
006A6A2A  |. |68 E845C300   PUSH sro_clie.00C345E8                                  ;  UNICODE "DebugMsg On"
006A6A2F  |. |68 00010000   PUSH 100
006A6A34  |. |8D8C24 C40200>LEA ECX,DWORD PTR SS:[ESP+2C4]
006A6A3B  |. |51            PUSH ECX
006A6A3C  |. |EB 12         JMP SHORT sro_clie.006A6A50
006A6A3E  |> \68 CC45C300   PUSH sro_clie.00C345CC                                  ;  UNICODE "DebugMsg Off"
006A6A43  |.  68 00010000   PUSH 100

[Vegetta91]

What other marker can i use instead of nop's? I tried the max allowed commands by olly witch is 8 consecutive nop's but it still finds over 100 matches. Could I use some JMP's? Thnx for the tutorials

[TheSpy]

Quote:

Originally Posted by Vegetta91

What other marker can i use instead of nop's? I tried the max allowed commands by olly witch is 8 consecutive nop's but it still finds over 100 matches. Could I use some JMP's? Thnx for the tutorials

NOP = No OPeration. JMP = JuMP.

[Vegetta91]

I know what they mean just don't know what they do... im n00b at reverse engeneering

[jM3]

It's generally easier to codecave or hook Direct3DCreateX api. From there, you can either do vtbl hooking (they're COM objects, purely virtual, every function is, as in the documentation, in the vtable). You can also just use it to poison the game's D3D object pointers to your own class wrapper around the COM objects.

I find these methods more general and simpler. You don't have to 'find' anything, you just hook it anyway .



Oh ****, schlurmann beat me to it :|.. by a lot :|..